Merge PR "[AUTO-CHERRYPICK] [AutoPR- Security] Patch libinput for CVE-2026-50292 [HIGH] - branch 3.0-dev" microsoft#17646

CBL-Mariner-Bot · azurelinux-security · Kshitiz Godara · web-flow · commit 425af168e42a · 2026-06-08T07:23:34.000-07:00
Co-authored-by: Azure Linux Security Servicing Account &lt;azurelinux-security@microsoft.com&gt;
Co-authored-by: Kshitiz Godara &lt;kgodara@microsoft.com&gt;
diff --git a/SPECS/libinput/CVE-2026-50292.patch b/SPECS/libinput/CVE-2026-50292.patch
@@ -0,0 +1,114 @@
+From 9ef7fa46ccf201dedbd657436103c88e86e8cdd2 Mon Sep 17 00:00:00 2001
+From: Peter Hutterer <peter.hutterer@who-t.net>
+Date: Sat, 6 Jun 2026 12:35:26 +0000
+Subject: [PATCH] libinput-device-group: sanitize phys before printing it
+
+A malicious uinput device could set the phys value (via UI_SET_PHYS)
+to contain a '\n'. When the value is printed as part of the device group
+the udev rules will interpret it as separate property.
+
+Depending on the property this can cause local privilege escalation.
+
+Closes #1296
+
+Found-by: Csome
+(cherry picked from commit 76f0d8a7f57e2868882864b4611281f12f704b55)
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: AI Backport of https://gitlab.freedesktop.org/libinput/libinput/-/commit/b2bde9504d42a5976d76e1f27c640dc561fbd99b.patch
+---
+ udev/libinput-device-group.c | 34 ++++++++++++++++++++++++++++------
+ 1 file changed, 28 insertions(+), 6 deletions(-)
+
+diff --git a/udev/libinput-device-group.c b/udev/libinput-device-group.c
+index 3da904e0..a376872b 100644
+--- a/udev/libinput-device-group.c
++++ b/udev/libinput-device-group.c
+@@ -30,6 +30,24 @@
+ 
+ #include "libinput-util.h"
+ 
++/**
++ * Return a sanitized copy of the phys string with control characters
++ * replaced to prevent newline injection in udev properties.
++ */
++static char *
++sanitize_phys(const char *phys)
++{
++	if (!phys)
++		return NULL;
++
++	char *s = safe_strdup(phys);
++	for (char *p = s; *p; p++) {
++		if ((unsigned char)*p < 0x20 || *p == 0x7f)
++			*p = '?';
++	}
++	return s;
++}
++
+ #if HAVE_LIBWACOM
+ #include <libwacom/libwacom.h>
+ 
+@@ -109,7 +127,8 @@ wacom_handle_ekr(struct udev_device *device,
+ 
+ 	udev_list_entry_foreach(entry, udev_enumerate_get_list_entry(e)) {
+ 		struct udev_device *d;
+-		const char *path, *phys;
++		char *phys = NULL;
++		const char *path;
+ 		const char *pidstr, *vidstr;
+ 		int pid, vid, dist;
+ 
+@@ -124,7 +143,7 @@ wacom_handle_ekr(struct udev_device *device,
+ 
+ 		vidstr = udev_device_get_property_value(d, "ID_VENDOR_ID");
+ 		pidstr = udev_device_get_property_value(d, "ID_MODEL_ID");
+-		phys = udev_device_get_sysattr_value(d, "phys");
++		phys = sanitize_phys(udev_device_get_sysattr_value(d, "phys"));
+ 
+ 		if (vidstr && pidstr && phys &&
+ 		    safe_atoi_base(vidstr, &vid, 16) &&
+@@ -138,10 +157,12 @@ wacom_handle_ekr(struct udev_device *device,
+ 				best_dist = dist;
+ 
+ 				free(*phys_attr);
+-				*phys_attr = safe_strdup(phys);
++				*phys_attr = phys;
++				phys = NULL;
+ 			}
+ 		}
+ 
++		free(phys);
+ 		udev_device_unref(d);
+ 	}
+ 
+@@ -154,8 +175,8 @@ int main(int argc, char **argv)
+ 	int rc = 1;
+ 	struct udev *udev = NULL;
+ 	struct udev_device *device = NULL;
+-	const char *syspath,
+-	           *phys = NULL;
++	const char *syspath;
++	char *phys = NULL;
+ 	const char *product;
+ 	int bustype, vendor_id, product_id, version;
+ 	char group[1024];
+@@ -180,7 +201,7 @@ int main(int argc, char **argv)
+ 	while (device != NULL) {
+ 		struct udev_device *parent;
+ 
+-		phys = udev_device_get_sysattr_value(device, "phys");
++		phys = sanitize_phys(udev_device_get_sysattr_value(device, "phys"));
+ 		if (phys)
+ 			break;
+ 
+@@ -251,6 +272,7 @@ int main(int argc, char **argv)
+ 
+ 	rc = 0;
+ out:
++	free(phys);
+ 	if (device)
+ 		udev_device_unref(device);
+ 	if (udev)
+-- 
+2.45.4
+
diff --git a/SPECS/libinput/libinput.spec b/SPECS/libinput/libinput.spec
@@ -3,12 +3,13 @@
 Summary:        Input device library
 Name:           libinput
 Version:        1.25.0
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 URL:            https://www.freedesktop.org/wiki/Software/libinput/
 Source0:        https://gitlab.freedesktop.org/libinput/libinput/-/archive/%{version}/%{name}-%{version}.tar.bz2
+Patch0:         CVE-2026-50292.patch
 
 BuildRequires:  check
 BuildRequires:  gcc
@@ -48,7 +49,7 @@ The %{name}-test package contains the libinput test suite. It is not
 intended to be run by users.
 
 %prep
-%autosetup
+%autosetup -p1
 
 %build
 %meson -Ddebug-gui=false \
@@ -104,6 +105,9 @@ find %{buildroot}/%{_mandir}/man1 -type f -regextype posix-egrep -regex "$UTILS_
 %{_mandir}/man1/libinput-test-suite.1*
 
 %changelog
+* Fri Jun 05 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 1.25.0-2
+- Patch for CVE-2026-50292
+
 * Thu Feb 08 2024 Rohit Rawat <rohitrawat@microsoft.com> - 1.25.0-1
 - Upgrade to 1.25.0
 
